The Centers for Medicare and Medicaid Services (CMS) reported a data breach to the Department of Health and Human Services (HHS) that affected 3,112,815 people. This breach, initially announced by CMS and Wisconsin Physicians Service Insurance Corporation (WPS) earlier in September, was due to the exploitation of a zero-day vulnerability in the MOVEit Transfer software. The Clop ransomware group exploited the vulnerability in a massive attack in May 2023, affecting thousands of organizations, including CMS’s contractor WPS.
In the initial announcement, CMS and WPS disclosed that 946,801 individuals were being notified about the breach. However, on the same day (September 6, 2024), CMS submitted an updated report to HHS on behalf of WPS, which revealed that the actual number of affected individuals was more than three times higher than originally stated. CMS mentioned that the difference was attributed to the data of deceased individuals kept by WPS. WPS also gathered data from non-Medicare beneficiaries as part of its services for CMS. The 946,801 figure represents current Medicare beneficiaries who were notified that some of their protected health information (PHI) and personally identifiable information (PII) was compromised, while the larger figure includes all affected individuals.
The security breach occurred in May 2023 and involved the exploitation of a zero-day vulnerability in MOVEit Transfer, a software tool developed by Progress Software that WPS used to transfer files related to its administrative services for CMS. WPS handles Medicare Part A and B claims processing, making the breach especially impactful. Progress Software issued a patch on May 31, 2023, to address the vulnerability, but by that time, the Clop ransomware group had already exploited it, stealing data from thousands of MOVEit users.
According to cybersecurity firm Emsisoft, the MOVEit breach affected at least 2,773 organizations and compromised the personal data of nearly 96 million individuals. Among the worst-hit organizations were Delta Dental of California and its affiliates (6.9 million), Welltok (10 million), and Maximus (11.3 million individuals). 39% of victims are from the education sector, while 20% are from the healthcare sector.
CMS had previously reported being affected by the MOVEit breach through its contractor Maximus, with that breach impacting 2,342,357 individuals. The latest report regarding WPS represents a separate incident, although both resulted from the same exploitation of the MOVEit vulnerability.
Progress Software notified WPS of the vulnerability on May 31, 2023, and WPS promptly applied the patch. Following this, WPS launched an investigation to determine whether its systems had been compromised. Its 2023 investigation found no evidence of data theft from its MOVEit application.
In May 2024, a year after the vulnerability was discovered and fixed, new evidence emerged, prompting WPS to review its MOVEit system with the help of a third-party cybersecurity company. This second investigation confirmed that, while the vulnerability had been patched in early June 2023 and no unauthorized access occurred after that point, the Clop group did exploit the vulnerability from May 27 to May 31, 2023, before the patch was applied.
A portion of the files exfiltrated during the breach was reviewed and no personal information was found. However, on July 8, 2024, while inspecting another set of files, WPS discovered personal data belonging to Medicare beneficiaries and promptly notified CMS.
The breach exposed sensitive personal and healthcare-related information. The compromised data includes the names of Medicare beneficiaries, and one or more of these data elements: individual taxpayer ID numbers, Social Security numbers, dates of birth, mailing addresses, gender, hospital account numbers, dates of service, health insurance claim numbers, and Medicare Beneficiary Identifiers (MBI).
CMS and WPS are continuing their investigation with the help of law enforcement agencies and cybersecurity experts to determine the full extent of the breach and to prevent future incidents. As part of the requirements of HIPAA certification, WPS has begun notifying the affected individuals and offering them free access to credit monitoring and identity protection services for a year.